Licence


This work is licensed under a Creative Commons Attribution Noncommercial Share Alike 3.0 License.

Virus scanning the Debian archive for fun and profit

Posted on Wed, 05 Mar 2008 :: /geek/debian/security


As some people may know, I'm a member of the Debian testing security team. As well as tracking all CVE IDs and which packages they affect, we also keep a list of known embedded code copies. Embedded code copies are a bad thing, as they cause no end of problems for the security teams.

One of the problems we've had to find a solution for is: how do we know what statically links against a library, or, even worse, ships its own copy of it?
So we're looking for something that finds a particular set of bytes in arbitrary executables; a signature of the library, if you will. And we do have a rather good tool that can be used to scan for binary signatures: clamav :)

Step 1

Create a clamav signature

Clamav has a nice guide on how to create signatures on their site. The method I use is fairly simple: find a unique binary string, pass it to sigtool --hex-dump and place the result in an .ndb file.

Step 2

Scan the archive

# -i: only report matching files; -d: load our own signature database.
# The glob is quoted so that find expands it, not the shell.
for I in `find /mirror/debian/pool/ -name '*all.deb'`; do
	clamscan -i -d smarty.ndb --deb --tempdir=/home/maulkin --no-summary \
	--max-space=1024m --stdout "$I" >> /home/maulkin/smarty.log
done
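As an added example covering steps 1 and 2 together (this is not the post's own code or a ClamAV tool), the script below builds the .ndb signature line from a unique string and then scans files for it. The .ndb layout used is ClamAV's extended format, MalwareName:TargetType:Offset:HexSignature, with target type 0 (any file) and offset * (anywhere). The hex conversion uses od in place of sigtool --hex-dump, and the scanning function is a small stand-in for clamscan so the whole thing runs offline; the signature name Embedded.Smarty, the marker string Smarty-2.6.18 and the sample files are all constructed for illustration, not taken from any real package.

```shell
#!/bin/sh
# Added example: build a ClamAV .ndb signature from a unique string and
# scan files for it. The scanner here only stands in for clamscan so the
# script runs offline; in practice the .ndb file is fed to clamscan -d.

# make_sig NAME STRING
#   Emit one .ndb line: MalwareName:TargetType:Offset:HexSignature
#   TargetType 0 = any file, Offset * = anywhere in the file.
#   od replaces `sigtool --hex-dump` (lowercase hex, no separators).
make_sig() {
    hex=$(printf '%s' "$2" | od -An -v -tx1 | tr -d ' \n')
    printf '%s:0:*:%s\n' "$1" "$hex"
}

# hex_of_file FILE: the whole file as a single lowercase hex string
hex_of_file() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# scan_with_sig SIGFILE FILE...
#   Print "FILE: NAME FOUND" for each match, like clamscan -i --stdout.
#   Returns 0 if at least one file matched, 1 otherwise.
#   Only the four mandatory .ndb fields are handled; the optional
#   MinFL/MaxFL fields would end up inside hexsig and never match.
scan_with_sig() {
    sigfile=$1; shift
    hits=0
    for f in "$@"; do
        fhex=$(hex_of_file "$f")
        while IFS=: read -r name target offset hexsig; do
            case "$fhex" in
                *"$hexsig"*)
                    printf '%s: %s FOUND\n' "$f" "$name"
                    hits=$((hits + 1))
                    ;;
            esac
        done < "$sigfile"
    done
    [ "$hits" -gt 0 ]
}

# Demo on constructed sample files (no real packages or libraries involved);
# the marker string and signature name are made up for illustration.
d=$(mktemp -d)
make_sig Embedded.Smarty 'Smarty-2.6.18' > "$d/smarty.ndb"
printf '\177ELF junk Smarty-2.6.18 more junk' > "$d/hit.bin"
printf 'nothing to see here' > "$d/miss.bin"
cat "$d/smarty.ndb"
scan_with_sig "$d/smarty.ndb" "$d/hit.bin" "$d/miss.bin" || echo "no matches"
rm -rf "$d"
```

The demo prints the generated signature line and then one FOUND line for hit.bin only. Because the signature is a plain byte sequence, it matches the marker wherever it sits in a file, which is exactly why the method catches both statically linked and bundled copies but also why the string chosen has to be unique to the library rather than something generic.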

Step 3

???

Step 4

PROFIT!!!



While I'm talking about testing security, we're all rather busy at the moment in the team, so we could do with some help! If you fancy helping, have a quick read of the intro and come onto #debian-security on irc.debian.org and say hi!